When using the forgot password function on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, the JSON response contains a “user not found” message, which leaks information about which accounts already exist. Affected Versions: Grafana <=8.x, Grafana <=9.x
Deptopia refers to version 5.2.3-4.el7cp for ceph 3 (which matches a manual search of the most recent release's source code), thus affected and OOOS, and uses a Grafana container for Ceph 4 and 5. Grafana container: Ceph 4.x uses golang:1.11.4 as the base to get grafana from. This was released significantly prior to the bugs in 9.2.0 and 9.2.1, but 5.x<=8.x, so affected and trackers filed. Ceph 5.3 (RC and thus the only potentially affected version) uses Grafana 8.3.5, and all the potential bug fixes are from prior to http://tracker.ceph.com/issues/48*, which is when the affected timeline begins. Ceph 5.2 (most recent published version) uses Grafana 8.3.5 and https://pkg.go.dev/github.com/grafana/grafana (from golang:1.17.6-alpine3.15), in the grafana container, published in 2019. Thus, affected as 8.3.5 <= 8.x. In the case of gluster, the last release was in Feb. I also dug into the source code for gluster; we're running 5.2.4 as Deptopia verifies. 5.x<=8.x, so marked as affected and trackers filed.
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2141185]
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6420 https://access.redhat.com/errata/RHSA-2023:6420